
Privacy Policy

PRIVACY POLICY OF GYM HUB LTD

The protection of personal data and the safeguarding of our clients' personal and financial information is particularly important to us. Therefore, we process your information solely based on applicable legislation, specifically the General Regulation 2016/670 (better known as GDPR), the Personal Data Protection Act (PDPA), and the E-Commerce Act (ECA). Please review our policy, in which we inform you about the most important aspects of the processing of your data by "GYM HUB" LTD (hereinafter referred to as We or the Company). In this declaration, we inform you about the most important aspects of the processing of your data on our website. With it, we also inform you about the terms and legal bases for collecting, processing, storing, using, destroying, and protecting your personal information, to the extent that you do not give us your explicit consent to do so.

What happens to your data after you contact us?

When you conclude a contract or write to us through the form on our website, through any of the other means of remote communication, or send us an email, we store your data for the period necessary to process your request, as well as to answer your subsequent questions. We will not share this information with third parties without your explicit consent!

Storage of Your Data

We note that in order to facilitate the process of concluding and subsequently performing the contract with you, we store your IP address, as well as your name, address, email address, and data about the payment method you used, for example, your credit card number. The data you provide is necessary for us to fulfill our pre-contractual or contractual obligations towards you. We do not provide this data to third parties, except for:
– our accountant and the company that is our data processor according to GDPR, with whom we have the relevant agreement.

Upon completed order and fulfilled contract on our part, based on Art. 6, para. 1, letters (a) and (b) of GDPR, we store all data related to the legal relationship until the expiration of the term provided for in Art. 12 of the Accountancy Act.

Information about the personal data administrator:

"Gym Hub" Ltd. is a company registered in the Commercial Register of the Registry Agency with Unified Identification Code (EIC) 208540609, with registered office and management address: Sofia, postal code 1606, Krasno selo district, Kriva reka area, 19 "Yakov Kraikov" str., floor 3, ap. 5. "Gym Hub" operates through the website gymhub.bg and all its subpages, hereinafter referred to as the "Site".

Contact details: Phone number: 0897949990; Email address: support@gymhub.bg

In the following paragraphs, you will find detailed information regarding the processing of your personal data depending on the basis on which we process it.

What is personal data?

Personal data is any information or set of information that identifies you or could be used to identify you within the meaning of Regulation (EU) 2016/679 (hereinafter "Regulation"). Processing of personal data includes any action or set of actions that can be performed regarding personal data by automatic or other means such as collection, recording, organizing, structuring, storage, adaptation or modification, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

In compliance with the provisions of the Electronic Document and Electronic Trust Services Act (EDETSA), "Gym Hub" Ltd. maintains and stores for a period of 1 (one) year a log file of every user who has filled out and submitted the electronic form for a service request on the site or an electronic form for profile registration. The log file contains the date, browser (web or mobile) and IP address, data from the electronic form: first and last name, e-mail address, phone, gender, and password.
After 1 year, the data is pseudonymized, which does not allow identification of the specific User with the data.

Grounds and purposes for which we use your personal data

We process your personal data on the following grounds:
· Conclusion and execution of the contract concluded between us and you in order to fulfill our obligations under it;
· Direct marketing (with explicit consent given for this);
· For a statutory obligation;

In the following paragraphs, you will find detailed information regarding the processing of your personal data depending on the basis on which we process it.

FOR THE PERFORMANCE OF A CONTRACT OR IN THE CONTEXT OF PRE-CONTRACTUAL RELATIONS

We process your personal data to fulfill contractual and pre-contractual obligations and to exercise rights under contracts concluded with you.

Purposes of processing:
· establishing your identity;
· managing and executing your request and performing a concluded contract;
· preparing an offer for concluding a contract;
· preparing and sending a bill/invoice for the services you use with us;
· to provide you with the necessary comprehensive service, as well as to collect due amounts for the services used;
· keeping correspondence related to a service used, reporting problems, etc.
· notification of everything related to the services you use with us;
· analysis of customer history;
· establishing and/or preventing unlawful actions or actions contrary to our terms for the respective services;

Data we process on this basis:

Based on the contract concluded between us and you, we process information about the type and content of the contractual relationship, as well as any other information related to the contractual legal relationship, including:
· personal contact details – contact address, email, phone number;
· identification data – full name and, if necessary, personal identity number or foreigner's personal number;
· data about the place and time of using the service;
· correspondence related to the overall service – emails, letters, information about your requests for problem resolution, complaints, requests, grievances, feedback we receive from you;
· information about bank account number or other bank and payment information related to payments made;
· other information such as: customer number, code, or other identifier created for identification; IP address (registered profile) when visiting our website; Information from your actions on the site.

The processing of the specified personal data is mandatory for us in order to conclude the contract with you and perform it. Without you providing the above data, we would not be able to fulfill our contractual obligations.

In the course of providing our services for the preparation of individual training programs and dietary regimens, we may process certain information related to your physical condition, which is considered a special category of personal data within the meaning of Art. 9 of Regulation (EU) 2016/679 (GDPR).
We collect only information that is necessary for personalizing your training and/or dietary regimen, such as:
· weight, height, age, level of physical activity;
· goals (e.g., weight loss, muscle gain, improving endurance);
· dietary preferences, allergies, and intolerances;
· existing injuries or other physical limitations relevant to creating a safe program.
· blood pressure and blood test data.

We do not require or process medical diagnoses, laboratory results, or other information intended solely for medical specialists. The data is processed solely for the purpose of preparing and providing a personalized training and/or dietary plan, as well as for subsequent communication with the client regarding the service.

The processing of health information is carried out only based on your explicit consent under Art. 9, §2, letter (a) of GDPR. Consent is given through an active choice (checkbox) before concluding a contract for the provision of the service and can be withdrawn at any time, without affecting the lawfulness of the previous processing.

The data is stored for a period of up to 12 (twelve) months after the termination of the contract or until the withdrawal of consent, after which it is deleted or anonymized. Only the trainers and specialists engaged in preparing the program have access to the health information. The data is stored in electronic form with the application of appropriate technical and organizational security measures, including access control, encryption, password protection, and secure servers.

You have the right to request access, correction, restriction, or deletion of the provided health data, as well as to withdraw your consent. For this purpose, you can contact us at email: support@gymhub.bg.

Our services do not constitute medical practice. The content, including training and dietary recommendations, is informational and advisory in nature and should not be considered medical advice or a substitute for consultation with a doctor.
Do we provide personal data to third parties?

We provide your personal data to third parties, with our main goal being to offer you quality, fast, and comprehensive service. We do not provide your personal data to third parties before ensuring that all technical and organizational measures for the protection of this data have been taken, and we strive to exercise strict control to achieve this goal. In this case, we remain responsible for the confidentiality and security of your data.

We provide personal data to the following categories of recipients (data controllers):
· persons who, by assignment, maintain equipment, software, and hardware used for processing personal data and necessary for the Company's activity;
· courier services for the purposes of delivering ordered products;
· subcontractors engaged with specific services under the contract.

When do we delete data collected on this basis?

Data collected on this basis is deleted 5 years after the termination of the contractual relationship, whether due to the expiration of the contract, performance, termination, or other grounds.

FOR THE PERFORMANCE OF REGULATORY OBLIGATIONS

It is possible that the law provides for an obligation for us to process your personal data.
In these cases, we are obliged to carry out the processing, such as:
· Obligations under the Measures Against Money Laundering Act;
· Providing information to the Commission for Consumer Protection or third parties provided for in the Consumer Protection Act;
· Providing information to the Commission for Personal Data Protection in connection with obligations provided for in the regulatory framework for personal data protection;
· Obligations provided for in the Accountancy Act and the Tax and Social Security Procedure Code and other related regulations, in connection with maintaining lawful accounting;
· Providing information to the court and third parties, within court proceedings, according to the requirements of the regulations applicable to the proceedings;

When do we delete personal data collected on this basis?

Data collected according to a statutory obligation is deleted after the obligation for collection and storage is fulfilled or ceases. For example: under the Accountancy Act for the storage and processing of accounting data (11 years), obligations to provide information to the court, competent state authorities, and other grounds provided for in the current legislation (5 years).

Provision of data to 3rd parties

When an obligation is provided for by law for us, it is possible to provide your personal data to the competent state authority, individual, or legal entity.

UPON YOUR CONSENT

We process your personal data on this basis only after explicit, unambiguous, and voluntary consent from you. We will not foresee any adverse consequences for you if you refuse the processing of personal data. Consent is a separate basis for processing your personal data and the purpose of the processing is specified in it and is not covered by the purposes listed in this policy.
If you give us the relevant consent and until its withdrawal or termination of any contractual relations with you, we prepare suitable offers for products/services for you, by performing detailed analyses of your basic personal data. Detailed analyses is a method of performing analysis that allows the processing of large volumes of data through statistical models and algorithms and others, which include the use of personal data, as well as processes of pseudonymization and anonymization of the same, for the purpose of extracting information about trends and various statistical indicators.

Marketing communication and messages

Once you have purchased a service from the Site, registered, and agreed to the general terms, subscribed to the newsletter, or left a comment, we will continue to provide you with up-to-date information about our services by sending messages (by email, Viber, SMS) or phone call. If you do not wish to receive messages or emails from us about promotions, prices, and new opportunities, you can withdraw your consent by sending a message refusing to receive marketing communication to e-mail: support@gymhub.bg or by pressing the "Unsubscribe" button.

Data we process for the purposes of direct marketing

On this basis, we process only the data for which you have given us your explicit consent. The specific data is determined for each individual case. Usually, this data is email address, names, phone number.

Provision of data to third parties

On this basis, we may provide your data to marketing agencies, Facebook, Instagram, Google, or similar.

Withdrawal of consent

The provided consents can be withdrawn at any time by sending an electronic message to e-mail: support@gymhub.bg. The withdrawal of consent does not affect the performance of contractual obligations. If you withdraw your consent for the processing of personal data for any or all of the ways described above, we will not use your personal data and information for the specified purposes.
The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

When do we delete data collected on this basis?

Data collected on this basis is deleted upon your request or 12 months after their initial collection.

Why and how we use automated algorithms

For the processing of your personal data, we use partially automated algorithms and methods with the aim of continuously improving our services to adapt our services to your needs in the best possible way. This process is called profiling.

How we protect your personal data

To ensure adequate protection of the company's and its clients' data, we apply all necessary organizational and technical measures provided for in GDPR and the Personal Data Protection Act. We have adopted the necessary internal policies. Our employees are familiar with the requirements regarding the protection of your personal data. The processing is reduced to the minimum data necessary to achieve the respective goals.

We have introduced multiple measures for the effective application of the data protection principles, including but not limited to:
• guaranteeing constant confidentiality, integrity, availability, and resilience of the processing systems and services;
• measures in case of a physical or technical incident for timely restoration of the availability and access to personal data;
• an internal process of regular testing, assessment, and evaluation of the effectiveness of the technical and organizational measures to ensure the security of processing;
• technical and organizational measures to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data.

To ensure adequate protection of the Company's and its clients' data, we apply the necessary organizational and technical measures provided for in the Personal Data Protection Act and the General Data Protection Regulation.
The Company has established structures for preventing abuses and security breaches, which support the processes of preserving and ensuring the security of your data. For maximum security in the processing, transmission, and storage of your data, we may use additional protection mechanisms such as encryption, pseudonymization, etc.

Rights of Users

Every User of the site enjoys all rights for the protection of personal data according to Bulgarian legislation and European Union law. The User can exercise their rights by sending a message to our email.

Every User has the right to:
· Information (regarding the processing of their personal data by the administrator);
· Access to their own personal data;
· Correction (if the data is inaccurate);
· Deletion of personal data (right "to be forgotten");
· Restriction of processing by the administrator or data processor;
· Portability of personal data between different administrators;
· Objection to the processing of their personal data;

The data subject also has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly significantly affects them.
The User can request deletion if one of the following conditions is present:
● The personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
● The User withdraws their consent on which the data processing is based and there is no other legal basis for the processing;
● The User objects to the processing and there are no overriding legitimate grounds for the processing;
● The personal data has been processed unlawfully;
● The personal data must be deleted to comply with a legal obligation under EU law or the law of a Member State that applies to the administrator;
● The personal data has been collected in connection with the offer of information society services to children and the consent was given by the holder of parental responsibility for the child.

If the User wishes their personal data to be deleted, they should send their request to the Data Administrator via the email specified above.

The User has the right to restrict the processing of their personal data by the administrator when:
● They contest the accuracy of the personal data. In this case, the restriction of processing is for a period that allows the administrator to verify the accuracy of the personal data;
● The processing is unlawful, but the User does not want the personal data to be deleted, but instead requires the restriction of its use;
● The administrator no longer needs the personal data for the purposes of the processing, but the User requires it for the establishment, exercise, or defense of legal claims;
● They have objected to the processing pending the verification of whether the legitimate grounds of the administrator override the interests of the User.

Right to data portability.
The data subject has the right to receive the personal data concerning them, which they have provided to an administrator, in a structured, commonly used, and machine-readable format, and has the right to transmit those data to another administrator without hindrance from the administrator to whom the personal data have been provided, where the processing is based on consent or on a contractual obligation and the processing is carried out by automated means. When exercising their right to data portability, the data subject has the right to have the personal data transmitted directly from one administrator to another, where technically feasible.

Right to object.

Users have the right to object to the administrator against the processing of their personal data. The personal data administrator must cease processing, unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims. When objecting to the processing of personal data for direct marketing purposes, the processing must be ceased immediately.

Complaint to the supervisory authority

Every User has the right to file a complaint against unlawful processing of their personal data to the Commission for Personal Data Protection (Sofia 1592, 2 "Prof. Tsvetan Lazarov" Blvd., kzld@cpdp.bg) or to the competent court. Data collected on this basis is stored for a period no longer than 12 months, in accordance with the provisions of the CPDP.